At my employer we are currently implementing SSO with the following requirements.
- Users can be authenticated against a number of identity providers, including:
  - Our SQL database, which may move to Azure Active Directory in future
  - A 3rd party ADFS end point
  - Custom authentication end points hosted by our customers (think asmx services)
  - No social providers for the moment
- Users should be routed to the appropriate IdP based on some knowledge we have about the user (user enters email/username, we make a decision on the IdP(s) to use and forward the user to the appropriate IdP)
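The routing step in that last requirement is usually called home realm discovery. The following is an added illustration of it, not code from this post or from any of the products compared below, and it is written in stack-neutral Python rather than .NET because the decision logic is the same whichever product ends up hosting it. The provider names and the domain-to-provider mapping are constructed assumptions that mirror the requirements above (a local SQL store, a third-party ADFS endpoint, customer-hosted endpoints). It goes slightly beyond the text by also matching parent domains and by allowing a domain to map to more than one IdP, which is the "IdP(s)" case.

```python
"""Home realm discovery: choose identity provider(s) from the login identifier.

Added example; not code from the original post or from Auth0, IdentityServer
or Azure AD B2C. Provider names and the domain mapping are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed assumption: email domain -> one or more logical IdP names.
DOMAIN_TO_IDPS: Dict[str, Tuple[str, ...]] = {
    "partner.example": ("adfs-thirdparty",),
    "customer-a.example": ("custom-customer-a",),
    # A domain whose users may live in either a customer endpoint or our store.
    "customer-b.example": ("custom-customer-b", "internal-sql"),
}

DEFAULT_IDP = "internal-sql"  # the local SQL credential store from the post


@dataclass(frozen=True)
class HrdDecision:
    providers: Tuple[str, ...]  # one entry: forward directly; several: let the user pick
    reason: str                 # short explanation, suitable for an audit log


def normalize_identifier(identifier: str) -> str:
    """Trim and lower-case; email domains are case-insensitive."""
    return identifier.strip().lower()


def split_domain(identifier: str) -> Optional[str]:
    """Return the domain of an email-shaped identifier, None for a bare username."""
    local, sep, domain = identifier.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain


def lookup_domain(domain: str) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Exact match first, then parent domains, never a bare top-level label."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_TO_IDPS:
            return candidate, DOMAIN_TO_IDPS[candidate]
    return None


def select_idp(identifier: str) -> HrdDecision:
    """Decide where to forward the user.

    The decision depends only on the identifier's domain, not on whether an
    account exists anywhere, so known and unknown users in the same domain get
    the same answer and the HRD step does not leak account existence.
    """
    ident = normalize_identifier(identifier)
    if not ident:
        raise ValueError("empty identifier")
    domain = split_domain(ident)
    if domain is None:
        return HrdDecision((DEFAULT_IDP,), "bare username: local store")
    match = lookup_domain(domain)
    if match is None:
        return HrdDecision((DEFAULT_IDP,), f"no federation mapping for {domain}")
    matched, providers = match
    return HrdDecision(providers, f"{domain} federated via mapping for {matched}")


if __name__ == "__main__":
    for who in ("Alice@Partner.Example", "bob@mail.customer-a.example",
                "carol@customer-b.example", "dave@unknown.example", "erin"):
        print(who, "->", select_idp(who))
```

A practical point that falls out of this shape: because the answer is a pure function of the domain, the same login page response can be returned for any user of a mapped domain, and the list of candidate providers for the multi-IdP case should be shown as a choice rather than probed by trying each one.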
We considered the following products based on these considerations (note: there are a number of other products available, but they either didn't meet our requirements, were prohibitively expensive, or had so much marketing fluff to wade through that it was difficult to find pricing and feature set):
| Auth0 | Identity Server | Azure AAD B2C |
|---|---|---|
| Reasonably priced for implementations with no custom connections | Free/Open Source, with optional paid products | Very affordable pricing, especially for the relatively small number of connections/users we needed |
| Implementation largely configuration driven, with a relatively small amount of code required to implement the solution | Of the 3 options requires the most 'effort' to implement, but potentially also provides the most control | Simple 'User Flows' for common scenarios, e.g. social sign in. XML driven 'Custom Policies' for complex scenarios (ADFS, SAML, custom providers) |
| Extension via Rules and Webhooks | Extension through custom Authentication Handlers | Not clear how extensible, e.g. has ADFS 4.0 support, but could you implement an extension to support ADFS 2.0 or 3.0? |
| Supports ADFS 3.0 | Can roll own ADFS authentication handler | Supports ADFS 4.0 |
| Decent documentation | Probably sufficient documentation, perhaps not coherent enough for noobs | Lots of documentation, much of it labeled 'Preview' |
| Solid product with good reputation | Solid product with good reputation | Newish kid on the block? Numerous features still in 'Preview' |
Our 1st stab was with Auth0, and successful it was. Alas, our requirement for Custom Database connection(s) (to accommodate the custom authentication endpoints) increased the price from a reasonable $2000 by almost a factor of 10.
Azure AAD B2C was evaluated next, but since most of the implementation would require 'Custom Policies', which, at the time of writing, were still in preview, it was not a suitable option for a production environment.
That left Identity Server as the only viable option. It will require more effort than Auth0 to implement, and likely more effort than Azure AAD B2C, but it is a solid, extensible product. And though it is free, the authors provide an option to support the product through Patreon.
Now to wade through the documentation and Get it Done ™